Skillset

To the uninitiated, Tor, formerly known as The Onion Router, is probably the most popular proxy network for internet anonmyzing. It’s called an onion router because traffic goes through many layers of encrypting servers. The gateway IP of the user and the destination IP are also encrypted, as opposed to being in plain text. The internet server destiination is supposed to only see the IP of the exit node. That’s supposed to prevent users from being identifiable via server logs, whereas traffic being encrypted at all points is supposed to prevent eavesdropping.

Tor has had its ups and downs ever since the first alpha was released in 2002. In 2011 and 2012, Tor had a big surge in users. Software packages, like the Tor web browser bundle, which uses a customized Aurora version of Firefox and Vidalia as the GUI to control Tor connectivity, helped enhance the accessibility of the service. Tor has been very helpful for uses like allowing tech savvy Chinese overcome the “Great Firewall of China,” and protecting the work of investigative journalists. Edward Snowden famously used Tor to inform The Guardian and The Washington Post about PRISM last year.

But as websites can also be hosted on Tor, often using the .onion top level domain, it’s been a haven for child pornography websites. Less harmfully, but still controversial, was The Silk Road, a sort of “eBay” for illegal drugs. The site ran somewhat successfully for a couple of years, but the DEA and the FBI were able to get it shut down last year. As far as the child pornography sites go, a number of members of Anonymous have been able to gather intel on many of them, and send it to the authorities. Of all the hacktivism done in the name of Anonymous or LulzSec, that has got to be the action most popular with the general public. Tor websites are only accessible by web browsers connected through Tor.

My first experience with Tor was when I installed the browser bundle in early 2012, and gave it a spin, just for fun. A nice UX feature is that a preset message page in your browser will tell you if you’ve successfully connected. From that point on, connectivity to Tor can be toggled via Vidalia. But you can’t be sure your browser is using Tor until you get that message.

Illustration 1: Via Wikimedia Commons

It took me a few hours to find a working URL for The Silk Road, as it was constantly changing, for obvious reasons. When I did find a current URL, looking at the website was kind of neat. Simply visiting The Silk Road, from Canada, in and of itself wasn’t illegal. It would only be problematic if I was caught having illegal substances mailed. I assure you, I didn’t go that far. The Silk Road only took Bitcoins, and I’ve never purchased them. Even though they were a lot more affordable then than now. But the experience certainly satiated my curiousity.

One experiential downside of Tor is that by having to go through all of those encrypting proxy servers, which are supposed to route traffic in a random way, is that you get really slow uploads and downloads, even if your ISP connection is very fast. But for users of Tor, the traffic slowdown is worth it.

An entire live Linux distro, Tails, is built to route all TCP/IP traffic through Tor.

One development that has excellerated the growth of Tor was when Adafruit released Onion Pi, a Tor server designed to run in the Raspbian OS on Raspberry Pi devices. The software is all free, and Raspberry Pi devices retail for $25 to $35, depending on the model. So, hobbyists who strongly believe in the Tor project can easily run a Tor server very inexpensively, even if they buy a Raspberry Pi to dedicate to that purpose.

But alas, Tor isn’t as secure as many people think it is.

The primary vulnerability is Tor’s exit nodes — the point in the Tor network where you access the target internet server. However many layers of encryption there are as your traffic travels Tor, the traffic from the exit node to the destination won’t be encypted unless you’re using an internet protocol with built-in encryption, such as HTTPS, and/or you’re using properly configured encryption software on your client machine. Even then, encyption is only as strong as its mathematics. If any point of encryption uses a symmetrical key or a bitlength of less than 128 bits, it’s pretty easy to crack, especially with a cluster or a botnet.

It’s probable, especially in the wake of the recent NSA revelations, that government agencies such as the NSA and CSIS sniff traffic on many exit nodes.

In 2007, Swedish security wizard Dan Egerstad was able to gather the email credentials for over 100 embassy and governmental accounts. He did so by hosting his own Tor exit nodes. There’s no barrier of entry for anyone to host an exit node, and all the necessary information is on Tor’s website. There’s always a legal risk involved, but governmental espionage agents and traditional blackhats aren’t going to be scared off by that. When users weren’t using secured internet protocols or weren’t encrypting data before they sent it, Egerstad was able to sniff that traffic off of his exit nodes just fine.

Last year, people were stunned to learn about one way that NSA was getting around Tor. A man they caught running exit nodes got a deal that would prevent him from facing criminal charges. He turned his nodes over to their use, to run malware through them to gather identifying information on Tor users.

Tor servers were encrypted with a very secure key, 1024 bits. But, speculating that it would cost the NSA a few million dollars each time they crack a key, they could have been cracking a few keys per day. That’s only a tiny fraction of Tor traffic, but especially considering if other intelligence agencies around the world and organized crime were doing that as well, there’s always a chance that a key you’ve used has been cracked. A few million dollars to crack one key would have to be targeted to a particular user though, so the risk was greatest if you’re in a position to draw attention to your activities. As of version 2.4 of Tor, released last year, Tor now uses elliptical curve cryptography. That’s supposed to be more secure than the DH algorithm they were using. As I’m not a cryptographer, I cannot go into detail about that. What does concern cryptographers is that Tor has yet to use 2048 bit RSA, which is supposed to be even more secure, and theoretically, it should be.

It’s been suggested via leaked documents that the NSA has cracked a fair amount of SSL, which is what encrypts HTTPS and other secured internet protocols. But keep in mind that SSL standards are always updated, so it’s another cat and mouse game.

Tor’s offical website confirms that they can’t protect against end-to-end attacks. That’s when someone is able to not only sniff an exit node, but the traffic that leaves your client to Tor, as well. If identifying details can be sniffed at both ends, a sniffer can confirm your internet targets, and probably the data in the packets being sent and received. That makes it ever more prudent to security-harden your machine, and to use encrypting software on your end.

Schneier on Security mentioned a gaping vulnerability in the Windows version of the Tor Browser Bundle. That vulnerability was patched on June 26th, 2013. But it’s certainly possible that there are vulnerabilities in various Tor client and server applications that have yet to become public knowledge. Patching vulnerabilities in every kind of software possible is a constant and evolving process. And by it’s very definition, zero-day attack vulnerabilties can’t be patched. But I’m impressed by Malwarebytes’ zero-day prevention software for Windows, which is still in public beta as of this writing. That kind of program can only do so much, but if they’re going to choose a platform to start the development of such a project, Windows is an excellent choice because it’s so prevalent and infamously insecure.

One hypothesis of mine is that the wide implementation of Onion Pi servers may have played a role in making Tor less secure. When the computer it runs on is so inexpensive, and so small (the size of other ARM boards, like the ones in smartphones), it’s possible for many hobbyists to run Tor relays without having much proxy server securing experience.

If you are going to use Tor, like I said, you should encrypt as much on your client end as you possibly can. Preferably, use a Linux or Unix/BSD distro. Still be aware of what the risks are.

You can also consider using a free VPN instead, such as justfreevpn.com. The machines and the infrastructure that implement a VPN are usually in-house, unlike Tor. But if you choose to do that, be prudent in doing your research on a particular VPN’s security before you decide to use it. You’d have to trust the party that runs the VPN of your choice. Even then, nothing is 100% secure, as that’s impossible.

As Tails is built to use Tor for all internet traffic, I hope their development team are looking into alternatives.

Securing and anonmyzing internet traffic is always going to be a cat and mouse game, just as antivirus software development and malware development always will be. It helps to stay constantly informed. In the world of computer technology, everything evolves quickly.

Kim Crawley is currently a security author for InfoSec Institute. She has worked in tech support and as an IT technician for a variety of smaller businesses. She has learned about vulnerabilities in network protocols, operating systems, applications and hardware and uses that knowledge in her everyday work in IT.
Learning how malware is developed and how cracking works informs her views on keeping networks secure.

I am pretty new to Tor and I don’t know much about security and other computer related jargon but I do know that For has recently been “busted” by using DDOS (whatever that is) What would you recommend for the average computer user to increase their security? Windows, Mac or Linux? Which browser and which VPN and any other tips? The de-anonymisation of Tor by the US government is very worrying

John McAnders

100% secure is possible, it may not be easy, but it certainly is possible.

RedRedMane

And here we were thinking ( thanks to the newest “hype!”) that adding a Raspberry PI router to an unsecured WiFi connection and accessing the Darknet through THAT would make us all “cyber-ghosts” once again!!! But a Raspberry PI system would actually WEAKEN the already compromised TOR encryption system, not “enhance” it!!!!! In short, the FBI would probably use “Geo-IP” to trace the signal to it’s point of origin, use a GPS based system to view the pinpointed location, and show up before you could even start the “downloads!!!” This happened to one very clever illegal porn downloader. When he was apprehended, he was in a state of stunned disbelief!!! He was amazed at how “FAST” the authorities tracked the anonymous, cloaked, Raspberry PI’d signal and arrested him!!! “They arrived in less than 10 MINUTES!!!!!” It did not take days of “investigative work”, sleuthing, and paperwork.

About InfoSec

InfoSec Institute is the best source for high quality information security training. We have been training Information Security and IT Professionals since 1998 with a diverse lineup of relevant training courses. In the past 16 years, over 50,000 individuals have trusted InfoSec Institute for their professional development needs!

Join our newsletter

File download

First Name

Last Name

Work Phone Number

Work Email Address

Job Title

Does your employer pay for training?

What is your timeline for training?

InfoSec institute respects your privacy and will never use your personal information for anything other than to notify you of your requested course pricing. We will never sell your information to third parties. You will not be spammed.

Comments

What is Skillset?

Skillset

Practice tests & assessments.

Practice for certification success with the Skillset library of over 100,000 practice test questions. We analyze your responses and can determine when you are ready to sit for the test. Along your journey to exam readiness, we will:

1. Determine which required skills you knowledge is sufficient
2. Which required skills you need to work on
3. Recommend specific skills to practice on next
4. Track your progress towards a certification exam